1. Field of the Invention
The present invention concerns a terminal and a system for performing secure electronic transactions.
2. Description of the Related Art
Public digital data transmission networks, such as the Internet, are expanding at a considerable: rate. However, the performing of secure electronic transfers on this type of network is currently being hampered, among other things, by the lack of security mechanisms associated with such transactions, reflected in a lack of confidence on the part of network users and operators.
In the context of this application:
an electronic transaction designates an exchange of information via a public digital data transmission or telecommunication network, either between two or more users or between a user and a service provider,
a function is a process carried out in order to render a service to a user,
an application designates a consistent set of services and functions,
the expression xe2x80x9capplication softwarexe2x80x9d designates the software needed to perform the functions relating to a given application, and
a secure transaction is a transaction for which security measures are implemented, namely authentication of the entities participating in the transaction, integrity, confidentiality, authenticity and possibly non-repudiation of exchanges and operations effected in the context of the transaction.
Many applications require secure electronic transactions. Examples are controlling access to computer or similar resources, home banking (statements, transfers between accounts, etc . . . via the telephone network or the Internet), electronic trading (purchase of goods or services via a public network), electronic mail, electronic purse, etc.
These and other applications requiring secure transactions are well known to the skilled person and are not described in detail here.
Depending on their nature, rendering such applications secure necessitates the use of one or more security services such as:
authentication, to guarantee the identity of an entity (a person or a system);
access control, protecting against unauthorised use or manipulation of resources;
confidentiality, prohibiting disclosure of data to unauthorised entities;
data integrity, which assures that data has not been modified, deleted or substituted without authorisation, and
non-repudiation, which assures that a participant in an exchange of data cannot subsequently deny the existence of the exchange.
The combination of two existing techniques makes it feasible to employ the above security services, so offering a sufficient level of security for the performance of electronic transactions.
These are:
public key and private key cryptography, because it guarantees non-repudiation and facilitates management of keys; and
the integrated circuit (or smart) card, because it is relatively inexpensive, easy to use and reliable because it uses dedicated microprocessors with hardware and software protection features so that read and write mode access to their memory can be barred.
Integrated circuit cards offer the following services:
authentication of the cardholder or user: this operation authenticates the cardholder by means of a confidential code after which the card allows operations such as executing algorithms, reading secret keys, reading or writing data on the card, which can also be subject to other security conditions;
protection of data and functions stored on the integrated circuit card. Access to the card can be subject to prior authentication of the electronic entity requesting to access it. This external authentication is generally effected in challenge/response mode. In this case the entity has a secret parameter, hereinafter also called the secret, enabling it to calculate, depending on a challenge issued by the card, a response that will prove to the card that it is in possession of the secret;
execution of cryptographic algorithms using a secret parameter stored on the card (encipherment, message authentication, signature); and
internal authentication. This service enables an application to authenticate the card. This service is the inverse of external authentication. The card generates a response to a challenge received, using a secret stored on the card.
The services offered by means of the integrated circuit card are performed on receipt of so-called elementary commands, execution of the elementary command causing the sending of elementary responses. The elementary commands concern, for example, cryptographic calculations, reading or writing of secret or other data, intervention of the user (entry of their personal confidential code (PIN), validation of a transaction after signature), and return of information to the user (display of messages to be signed, for example).
Some cards offer the facility to verify the integrity, source and even the confidentiality of commands sent to the card. These services are based on techniques of authenticating and enciphering the commands.
The current use of integrated circuit (or microcircuit) cards offers a very high level of security because the transactions are essentially performed on private networks and terminals (automatic teller machines, point of sale terminals, for example) which are under the control of an entity assuring the security of the system as a whole.
In such applications, users or abusers do not have access to the application software or to the hardware and software security mechanisms of the terminals.
In contrast, performing secure transactions using integrated circuit cards on a public network presupposes that users have access to a card reader terminal module, given that microcircuit cards do not have their own electrical power supply and that using them requires a reader that can power them up and establish communication with the user and/or external electronic means.
At present, to perform a transaction on a public network, the user employs a terminal that can be a dedicated product, a personal computer or a personal computer connected to an integrated circuit card by a card reader.
In all cases, the transaction system accessible to the user generally comprises:
an application service provider, for example an Internet browser, an electronic mail program, a home banking program,
a high-level security service provider enabling execution of low-level cryptographic mechanisms required by the application.
The application service provider issues requests for high-level security services to assure the security of the transactions performed.
If the application is installed on the user""s personal computer, the cryptographic services referred to are, for example, those defined by RSA laboratories in its standard xe2x80x9cPKCS 11: Cryptographic Token Interface Standardxe2x80x9d or the cryptographic services offered by the Microsoft Windows NT operating system, in particular those available via the xe2x80x9cCrypto APIxe2x80x9d application program interface (API).
If the user does not have an integral microcircuit card reader, the cryptographic services are effected entirely by software.
If the user wishes to enhance security, they use a transparent type integrated circuit card reader connected to their computer. A transparent type card reader is in fact an interface module between the computer and the integrated circuit card for transmitting elementary commands from the computer, originating from the cryptographic service provider, to the card, and elementary responses from the card to the computer. Using this terminal, consisting of their terminal modulexe2x88x92computer+readerxe2x88x92coupled to their card, a user can perform electronic transactions (electronic shopping, for example).
Of course, access of users to a terminal of this kind generates potential security risks.
The more decentralised the applications the greater the risk. Conversely, the better the control of the risks at the terminal end, the more decentralised can the applications be. Consider purse type applications, for example, in which transactions (purchaser card debit/merchant card credit) are effected card-to-card, without requiring consolidation of the transactions at the level of a centralised server.
It follows from the foregoing discussion that a terminal can potentially contain a set of information (or even software) on whose confidentiality and integrity the security of the application relies. Consider, for example, secret keys used to authenticate the terminal modules vis a vis the card or to encipher data transferred between a server and the card reader terminal module. An abuser with access to the terminal can analyse its operation and obtain access to the confidential information and software.
Note also that the applications referred to here, such as electronic shopping and electronic mail, are usually performed via the Internet. Experts are well aware that a personal computer (PC) connected to the Internet is highly vulnerable to viruses which can be installed and execute on the user""s PC without them knowing it and without them allowing physical access to their computer to anyone at all. The totally invisible nature of this type of threat is the real danger currently limiting the deployment of transaction-based applications using the Internet. The same comments apply to electronic shopping applications on cable TV networks using set-top boxes connected to the TV set and incorporating one or two smart card readers.
The system level risks are then:
Attack on the integrity of the cryptographic service provider and the application service provider with the aim of modifying the behaviour of the terminal module: for example, the terminal module is modified to capture information associated with the card and to store the information obtained for subsequent communication to a counterfeit server. This attack can be carried out unknown to the legitimate user (substitution of the user""s terminal module or loan of a modified terminal module). This attack can then be generalised by circulating counterfeit terminal modules.
Attack on the confidentiality of the cryptographic service provider, with the aim of obtaining the cryptographic keys they use, which are stored on the hard disk of a computer, for example.
Attack on other cards, based on the ability to authenticate the abuse vis a vis other cards by virtue of the secrets discovered by attacking the confidentiality of the service provider.
Attack on the integrity and the confidentiality of communications between the various entities (application service providers, cryptographic service providers, integrated circuit card reader, integrated circuit card, server) to break the chain of confidence established between these elements. For example:
1xe2x80x94deciphering communications between server and terminals;
2xe2x80x94inserting third party software between the application service provider and the cryptographic service provider to break the chain of confidence between these two programs or to substitute for the application software third party software causing the security service provider to execute security requests with a different aim to that of the application known to the user.
Attack on servers (in the case of an on-line application): connection of a counterfeit terminal to a server, emulation of a terminal module/integrated circuit card combination to obtain advantages.
An attack on the chain of confidence between the cryptographic service provider and the application service provider in the context of an application requiring an electronic transaction using an integrated circuit card to be signed is illustrated hereinafter. The transaction proceeds as follows:
Step 1: verification of the personal confidential code (PIN) of the user, entered by the latter via a keypad associated with their terminal module, the code entered being sent to the card for verification by the latter.
Step 2: authentication of the terminal module. The latter sends a xe2x80x9cchallenge requestxe2x80x9d command (a challenge is a random or pseudo-random number). The integrated circuit card generates the challenge and sends it to the terminal module. The terminal module sends the card an xe2x80x9cexternal authenticationxe2x80x9d command accompanied by a response consisting of the challenge enciphered by a key held by the terminal module. The integrated circuit card then verifies the response received.
Step 3: if steps 1 and 2 are executed satisfactorily, the integrated circuit card is ready to receive and to execute the signature command, i.e. command of encipherment, using a private key stored on the card, of the result of a hashing operation performed on the transaction entered by the user. After this encipherment the card sends to the terminal module the signature consisting of the result of the hashing operation enciphered in this way.
If the integrity of the application software (application service provider and its cryptographic service provider) is not assured, a hacker does not need to know the secret code and keys to pirate the transaction system; all that is necessary is to implant in the terminal module, for example the personal computer to which an integrated circuit card reader is connected, virus type software which in step 3 diverts the authentic data to be signed and sends falsified data to the card. Given that steps 1 and 2 have been executed in a satisfactory manner, the card will then sign the falsified data on the basis of the PIN that the user has entered and the user will believe that the card is about to sign their own data.
The preceding example shows the necessity of protecting not only the confidential information used in the context of a transaction but also the integrity of the transaction, i.e. the integrity of the behaviour of each entity involved in the transaction, together with the integrity of the behaviour of all of the software, assuring that the chain of confidence established between the various entities is broken.
The risks of attack mentioned hereinabove are currently covered in part by terminalsxe2x80x94integrated circuit card readers integrating security modules (SAM, similar to an integrated circuit card) used in the context of purse applications in particular. The reader is then personalised by a SAM and assigned to a merchant, the cards read being those of customers. The SAM contains secret information and is able to execute algorithms using the secret information. However, it does not contain means for controlling communication with the user, with the integrated circuit card and/or with external electronic means, and for this reason the security of transactions is not assured.
Document WO 95/04328 discloses a terminal module comprising user interface means and interface means to external electronic means (hereinafter called external interface means) including an interface with a microcircuit card. The microprocessor of the terminal module comprises data storage means (ROM, EEPROM, RAM). The data stored in permanent memory (ROM) includes an operating system, managers of external components controlling the interfaces and peripheral devices, and an interpreter capable of interpreting program modules written in a specific language. The program modules are stored in the semi-permanent memory EEPROM and can be loaded into temporary memory RAM to be executed by the microprocessor on activation of an appropriate interface by the user. The program modules corresponding to the applications of the terminal module are downloaded into the EEPROM of the microprocessor or into a microcircuit card from an external server.
The terminal module of document WO 95/04328 can operate:
in autonomous terminal module mode, the microprocessor of the terminal module executing a program module stored in an internal memory without calling on an integrated circuit card;
in autonomous terminal mode, in which a program module stored on a card is executed;
in extended terminal mode or on-line mode, in which the microprocessor of the terminal module or that of the card executes a program module and communication is established via the telephone, a modem or a direct connection to a service provider or a server; and
in transparent memory card reader mode, in which instructions received over a serial link are sent directly to the card and vice versa.
The terminal described in document WO 95/04328 does not deal with security problems addressed by the invention in that there is no description of how to secure a transaction to guarantee the integrity of the behaviour of all of the software executing the transaction. In particular there is no description of means for executing high-level requests issued by the application or how to guarantee the source, the integrity and the confidentiality of such means.
The present invention aims to provide a terminal for carrying out secure electronic transactions of the type comprising a personal security device such as an integrated circuit card or other device fulfilling the same functions and a terminal module provided with means of interfacing the personal security device, such as an integrated circuit card reader, and offering by virtue of its software and/or hardware architecture and the security mechanisms that it includes an enhanced level of security compatible with the fact that the terminal can be under the control of users (as opposed to terminals under the control of the operators).
A second objective of the invention is to assure this same level of security whilst enabling integration, during use, of new functions or applications, or modification of existing functions or applications without having recourse to a multitude of different terminal modules and without changing terminal modules to effect such modifications.
To this end, the invention consists in a terminal for execution of secure electronic transactions by a user in conjunction with at least one application installed on an electronic unit, said terminal comprising:
a terminal module including at least:
first interface means with said application for receiving from it requests relating to said transactions,
second interface means with said user;
third interface means with a personal security device,
first data processing means comprising at least first software means for controlling said interface means, and
a personal security device including at least second secure data processing means comprising at least second software means for executing elementary commands and means for executing cryptographic computations, characterised in that:
said terminal is adapted to receive said requests from said application installed on said electronic unit in the form of high-level requests independent of said personal security device,
at least one of said terminal module and said personal security device comprises:
at least one reprogrammable memory for storing at least one filter program translating said high-level requests into at least one of either (i) a sequence of at least one elementary command for being executed by said second software means of said second data processing means, or (ii) a sequence of data exchanges between said terminal module and said user via said second interface means, said data exchanges being executed by said first software means of said first data processing means, and
means for protecting said filter software to prevent an unauthorised person reading and/or modifying said software, and
at least one of said first and said second data processing means comprise a data processing device for executing said filter program.
The invention defined hereinabove achieves the security objectives required for carrying out electronic transactions by virtue of the fact that it describes a filter or xe2x80x9cfirewallxe2x80x9d between the external world, i.e. the applications themselves, and the security means and peripheral devices that it controls, by means of a logical interface defining the format of high-level requests issued by the applications and of a translation software for processing these requests.
The terminal of the invention preferably comprises one or more of the following features, possibly in combination:
said device for executing the filter program comprises first means for identifying and/or authenticating said application installed on said unit or the source of said requests sent by said application,
said data processing device for executing said filter program comprises means for verifying the integrity of data received from said application,
said data processing device for executing said filter program comprises centralised means for controlling conditions of use of services of the personal security device in accordance with said application and/or the user,
said data processing device for executing said filter program comprises:
means for commanding secured loading of said filter program into said programmable memory via said first or said third interface means from an entity external to said module, and
first access control means for authorising said loading of said filter program only in response to at least one predefined condition,
the terminal comprises second means for authentication of said first data processing means by said second data processing means,
the terminal comprises third means for authentication of said second data processing means by said first data processing means,
the terminal comprises a first communication channel between said first data processing means and said second data processing means and first means for securing said first communication channel,
the terminal comprises fourth means for authentication of said terminal module by said user, independently of said card,
said fourth authentication means comprise means for calculation by said first data processing means and for presentation to said user via said second interface means of a password known to said user and computed on the basis of a first secret parameter stored in said first data processing means,
the terminal comprises fifth means for conjoint authentication of said terminal module and said card by said user, and
said fifth authentication means comprise means for computation by said device for executing said filter program and for presentation to said user via said second interface means of a password known to said use and computed on the basis of at least second and third secret parameters stored respectively in said first data processing means and said second data processing means.
In a first embodiment of the invention the terminal module is a personal computer and said programmable memory is the hard disk of said computer, said filter software is executed on the personal computer, or in a second mode of execution said programmable memory is on a secure server connected to the personal computer, the part of the filter software to be protected being executed on said secure server.
In a second embodiment of the invention the terminal module is a device such as a dedicated integrated circuit card reader, in which case said personal security device is an integrated circuit card or a personal computer. This embodiment differs from the preceding one in that said programmable memory is integrated into a secure microprocessor, said filter software being executed in said secure microprocessor. The dedicated terminal module can be portable.
Depending on the mode of execution of this second embodiment of the invention, the programmable memory for loading and storing the filter software can be in the personal security device or in the terminal module. In the latter case the terminal module can include a single microprocessor for executing the filter software and for controlling the interfaces or two microprocessors respectively implementing these two functions.